Analysis
max time kernel: 150s
max time network: 152s
platform: windows10_x64
resource: win10v20210408
submitted: 26-07-2021 12:57

Static task: static1

Behavioral task: behavioral1
  Sample: 120904fa76dba7bdaf0f5c3732b58b050e8d1366c11093ada9e4d894076f2d30.sample.exe
  Resource: win7v20210410

Behavioral task: behavioral2
  Sample: 120904fa76dba7bdaf0f5c3732b58b050e8d1366c11093ada9e4d894076f2d30.sample.exe
  Resource: win10v20210408

General
Target: 120904fa76dba7bdaf0f5c3732b58b050e8d1366c11093ada9e4d894076f2d30.sample.exe
Size: 120KB
MD5: 678fff3a5ab12f5af6bbb814d1810b4c
SHA1: b088bc6af8ddba1bee212b6f8bf4dcc66002a4ed
SHA256: 120904fa76dba7bdaf0f5c3732b58b050e8d1366c11093ada9e4d894076f2d30
SHA512: 2904ac506a3959c6ed067ad62416ddfa392486f783f62f2eb97b7fe8b66b3292884d95e60886ca61894e9c041937378ad6dd059f9541f5cb170efd46f334bdfc
Malware Config
Extracted from: C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\# DECRYPT MY FILES #.txt
  http://decrypttozxybarc.dconnect.eu/7CE5-408B-03AA-0006-4CFB
  http://decrypttozxybarc.tor2web.org/7CE5-408B-03AA-0006-4CFB
  http://decrypttozxybarc.onion.cab/7CE5-408B-03AA-0006-4CFB
  http://decrypttozxybarc.onion.to/7CE5-408B-03AA-0006-4CFB
  http://decrypttozxybarc.onion.link/7CE5-408B-03AA-0006-4CFB
  http://decrypttozxybarc.onion/7CE5-408B-03AA-0006-4CFB
Extracted from: C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
  http://decrypttozxybarc.dconnect.eu/7CE5-408B-03AA-0006-4CFB
  http://decrypttozxybarc.tor2web.org/7CE5-408B-03AA-0006-4CFB
  http://decrypttozxybarc.onion.cab/7CE5-408B-03AA-0006-4CFB
  http://decrypttozxybarc.onion.to/7CE5-408B-03AA-0006-4CFB
  http://decrypttozxybarc.onion.link/7CE5-408B-03AA-0006-4CFB
  http://decrypttozxybarc.onion/7CE5-408B-03AA-0006-4CFB
Signatures

suricata: ET MALWARE Ransomware/Cerber Checkin 2

suricata: ET MALWARE Ransomware/Cerber Checkin M3 (8)

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Looks for VirtualBox Guest Additions in registry (2 TTPs)

Adds policy Run key to start application (2 TTPs, 2 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{A074B1AF-2474-4D8E-3D69-79A6B0292AF2}\\whoami.exe\"" | 120904fa76dba7bdaf0f5c3732b58b050e8d1366c11093ada9e4d894076f2d30.sample.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{A074B1AF-2474-4D8E-3D69-79A6B0292AF2}\\whoami.exe\"" | whoami.exe

Executes dropped EXE (1 IoCs)
Processes:
  pid | process
  2104 | whoami.exe

Looks for VMWare Tools registry key (2 TTPs)

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | whoami.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | whoami.exe

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\International\Geo\Nation | whoami.exe

Drops startup file (1 IoCs)
Processes:
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\whoami.lnk | 120904fa76dba7bdaf0f5c3732b58b050e8d1366c11093ada9e4d894076f2d30.sample.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 8 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\whoami = "\"C:\\Users\\Admin\\AppData\\Roaming\\{A074B1AF-2474-4D8E-3D69-79A6B0292AF2}\\whoami.exe\"" | whoami.exe
  Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | whoami.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\whoami = "\"C:\\Users\\Admin\\AppData\\Roaming\\{A074B1AF-2474-4D8E-3D69-79A6B0292AF2}\\whoami.exe\"" | whoami.exe
  Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run | 120904fa76dba7bdaf0f5c3732b58b050e8d1366c11093ada9e4d894076f2d30.sample.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\whoami = "\"C:\\Users\\Admin\\AppData\\Roaming\\{A074B1AF-2474-4D8E-3D69-79A6B0292AF2}\\whoami.exe\"" | 120904fa76dba7bdaf0f5c3732b58b050e8d1366c11093ada9e4d894076f2d30.sample.exe
  Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | 120904fa76dba7bdaf0f5c3732b58b050e8d1366c11093ada9e4d894076f2d30.sample.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\whoami = "\"C:\\Users\\Admin\\AppData\\Roaming\\{A074B1AF-2474-4D8E-3D69-79A6B0292AF2}\\whoami.exe\"" | 120904fa76dba7bdaf0f5c3732b58b050e8d1366c11093ada9e4d894076f2d30.sample.exe
  Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run | whoami.exe

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow | ioc
  9 | ipinfo.io

Drops file in Windows directory (1 IoCs)
Processes:
  description | ioc | process
  File opened for modification | C:\Windows\Debug\ESE.TXT | MicrosoftEdge.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Interacts with shadow copies (2 TTPs, 1 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
  pid | process
  3140 | vssadmin.exe

Kills process with taskkill (1 IoCs)
Processes:
  pid | process
  508 | taskkill.exe

Modifies Control Panel (4 IoCs)
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\Desktop | 120904fa76dba7bdaf0f5c3732b58b050e8d1366c11093ada9e4d894076f2d30.sample.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{A074B1AF-2474-4D8E-3D69-79A6B0292AF2}\\whoami.exe\"" | 120904fa76dba7bdaf0f5c3732b58b050e8d1366c11093ada9e4d894076f2d30.sample.exe
  Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\Desktop | whoami.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{A074B1AF-2474-4D8E-3D69-79A6B0292AF2}\\whoami.exe\"" | whoami.exe

Modifies Internet Explorer settings (3 IoCs)
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main | MicrosoftEdge.exe
  Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main | browser_broker.exe
  Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main | MicrosoftEdgeCP.exe

Modifies registry class (64 IoCs)
Processes:
Runs ping.exe (1 TTPs, 1 IoCs)

Suspicious behavior: EnumeratesProcesses (50 IoCs)
Processes:
  pid | process
  2104 | whoami.exe (this entry is reported 50 times)

Suspicious behavior: MapViewOfSection (1 IoCs)
Processes:
  pid | process
  1796 | MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken (60 IoCs)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 672 | 120904fa76dba7bdaf0f5c3732b58b050e8d1366c11093ada9e4d894076f2d30.sample.exe
  Token: SeDebugPrivilege | 2104 | whoami.exe
  Token: SeDebugPrivilege | 508 | taskkill.exe
  Token: SeBackupPrivilege | 1416 | vssvc.exe
  Token: SeRestorePrivilege | 1416 | vssvc.exe
  Token: SeAuditPrivilege | 1416 | vssvc.exe
  Token: SeIncreaseQuotaPrivilege | 2064 | wmic.exe
  Token: SeSecurityPrivilege | 2064 | wmic.exe
  Token: SeTakeOwnershipPrivilege | 2064 | wmic.exe
  Token: SeLoadDriverPrivilege | 2064 | wmic.exe
  Token: SeSystemProfilePrivilege | 2064 | wmic.exe
  Token: SeSystemtimePrivilege | 2064 | wmic.exe
  Token: SeProfSingleProcessPrivilege | 2064 | wmic.exe
  Token: SeIncBasePriorityPrivilege | 2064 | wmic.exe
  Token: SeCreatePagefilePrivilege | 2064 | wmic.exe
  Token: SeBackupPrivilege | 2064 | wmic.exe
  Token: SeRestorePrivilege | 2064 | wmic.exe
  Token: SeShutdownPrivilege | 2064 | wmic.exe
  Token: SeDebugPrivilege | 2064 | wmic.exe
  Token: SeSystemEnvironmentPrivilege | 2064 | wmic.exe
  Token: SeRemoteShutdownPrivilege | 2064 | wmic.exe
  Token: SeUndockPrivilege | 2064 | wmic.exe
  Token: SeManageVolumePrivilege | 2064 | wmic.exe
  Token: 33 | 2064 | wmic.exe
  Token: 34 | 2064 | wmic.exe
  Token: 35 | 2064 | wmic.exe
  Token: 36 | 2064 | wmic.exe
  (the 21 wmic.exe token entries above are reported a second time in the same order)
  Token: SeDebugPrivilege | 3704 | MicrosoftEdge.exe (reported 4 times)
  Token: SeDebugPrivilege | 3124 | MicrosoftEdgeCP.exe (reported 4 times)
  Token: 33 | 3088 | AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege | 3088 | AUDIODG.EXE
  Token: SeDebugPrivilege | 4188 | MicrosoftEdgeCP.exe (reported 2 times)

Suspicious use of SetWindowsHookEx (3 IoCs)
Processes:
  pid | process
  3704 | MicrosoftEdge.exe
  1796 | MicrosoftEdgeCP.exe
  1796 | MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory (26 IoCs)
Processes:
  description | pid | process | target process
  PID 672 wrote to memory of 2104 | 672 | 120904fa76dba7bdaf0f5c3732b58b050e8d1366c11093ada9e4d894076f2d30.sample.exe | whoami.exe (reported 3 times)
  PID 672 wrote to memory of 412 | 672 | 120904fa76dba7bdaf0f5c3732b58b050e8d1366c11093ada9e4d894076f2d30.sample.exe | cmd.exe (reported 3 times)
  PID 412 wrote to memory of 508 | 412 | cmd.exe | taskkill.exe (reported 3 times)
  PID 2104 wrote to memory of 3140 | 2104 | whoami.exe | vssadmin.exe (reported 2 times)
  PID 412 wrote to memory of 2860 | 412 | cmd.exe | PING.EXE (reported 3 times)
  PID 2104 wrote to memory of 2064 | 2104 | whoami.exe | wmic.exe (reported 2 times)
  PID 2104 wrote to memory of 2860 | 2104 | whoami.exe | NOTEPAD.EXE (reported 2 times)
  PID 2104 wrote to memory of 744 | 2104 | whoami.exe | WScript.exe (reported 2 times)
  PID 1796 wrote to memory of 3124 | 1796 | MicrosoftEdgeCP.exe | MicrosoftEdgeCP.exe (reported 6 times)
Processes
-
C:\Users\Admin\AppData\Local\Temp\120904fa76dba7bdaf0f5c3732b58b050e8d1366c11093ada9e4d894076f2d30.sample.exe"C:\Users\Admin\AppData\Local\Temp\120904fa76dba7bdaf0f5c3732b58b050e8d1366c11093ada9e4d894076f2d30.sample.exe"1⤵
- Adds policy Run key to start application
- Drops startup file
- Adds Run key to start application
- Modifies Control Panel
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\{A074B1AF-2474-4D8E-3D69-79A6B0292AF2}\whoami.exe"C:\Users\Admin\AppData\Roaming\{A074B1AF-2474-4D8E-3D69-79A6B0292AF2}\whoami.exe"2⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exe
"C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet 3⤵
- Interacts with shadow copies
-
C:\Windows\system32\wbem\wmic.exe
"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete 3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt 3⤵
-
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs" 3⤵
-
C:\Windows\SysWOW64\cmd.exe
/d /c taskkill /t /f /im "120904fa76dba7bdaf0f5c3732b58b050e8d1366c11093ada9e4d894076f2d30.sample.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\120904fa76dba7bdaf0f5c3732b58b050e8d1366c11093ada9e4d894076f2d30.sample.exe" > NUL 2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exe
taskkill /t /f /im "120904fa76dba7bdaf0f5c3732b58b050e8d1366c11093ada9e4d894076f2d30.sample.exe" 3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\PING.EXE
ping -n 1 127.0.0.1 3⤵
- Runs ping.exe
-
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe 1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca 1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding 1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca 1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca 1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x408 1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca 1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
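The process tree above is the whole Cerber playbook in miniature: the sample copies itself to %APPDATA%\{GUID}\whoami.exe and launches that copy; the copy deletes Volume Shadow Copies twice over (vssadmin delete shadows /all /quiet, then wmic shadowcopy delete), opens the ransom notes, and the original spawns a cmd.exe "taskkill & ping & del" chain to remove itself from %TEMP%. The following is an added example, not sandbox output and not the malware's own code: three detection rules run over constructed Sysmon-style process-creation events whose PIDs, images and command lines mirror this tree. The parent PID 1000 for the sample, the two benign control events 5000/5001 (an admin listing shadows, the real whoami.exe) and the short SYSTEM_NAMES list are assumptions made for the example.

```python
"""Detection rules for the behaviours in this sandbox report, run over
constructed process-creation events (Sysmon Event ID 1 style fields)."""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str    # command line as logged


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\120904fa76dba7bdaf0f5c3732b58b050e8d1366c11093ada9e4d894076f2d30.sample.exe")
DROPPED = r"C:\Users\Admin\AppData\Roaming\{A074B1AF-2474-4D8E-3D69-79A6B0292AF2}\whoami.exe"
SELF_DELETE_CMD = (f'/d /c taskkill /t /f /im "{ntpath.basename(SAMPLE)}" > NUL'
                   f' & ping -n 1 127.0.0.1 > NUL & del "{SAMPLE}" > NUL')

# Constructed events mirroring the report's process tree (PIDs as reported;
# ppid 1000 for the sample and the two benign controls 5000/5001 are invented).
EVENTS = [
    ProcEvent(672, 1000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2104, 672, DROPPED, f'"{DROPPED}"'),
    ProcEvent(3140, 2104, r"C:\Windows\system32\vssadmin.exe",
              r'"C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet'),
    ProcEvent(2064, 2104, r"C:\Windows\system32\wbem\wmic.exe",
              r'"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete'),
    ProcEvent(744, 2104, r"C:\Windows\System32\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"'),
    ProcEvent(412, 672, r"C:\Windows\SysWOW64\cmd.exe", SELF_DELETE_CMD),
    ProcEvent(508, 412, r"C:\Windows\SysWOW64\taskkill.exe",
              f'taskkill /t /f /im "{ntpath.basename(SAMPLE)}"'),
    ProcEvent(2860, 412, r"C:\Windows\SysWOW64\PING.EXE", "ping -n 1 127.0.0.1"),
    ProcEvent(5000, 1000, r"C:\Windows\system32\vssadmin.exe",
              r'"C:\Windows\system32\vssadmin.exe" list shadows'),          # benign: admin listing
    ProcEvent(5001, 1000, r"C:\Windows\System32\whoami.exe", "whoami /all"),  # benign: real whoami
]

SHADOW_DELETE = re.compile(r"delete\s+shadows|shadowcopy\s+delete", re.I)
DEL_TARGET = re.compile(r'\bdel\s+(?:"([^"]+)"|(\S+))', re.I)
# Windows binaries that are only legitimate under the system directories
# (assumed short list; a real deployment would carry a fuller one).
SYSTEM_NAMES = {"whoami.exe", "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def root_of(by_pid, pid):
    """Walk ppid links up to the topmost process we hold an event for."""
    e = by_pid[pid]
    while e.ppid in by_pid:
        e = by_pid[e.ppid]
    return e.pid


def detect(events):
    """Return (rule, pid, root_pid) for every event that trips a rule."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        name = ntpath.basename(e.image).lower()
        # 1. Shadow-copy deletion via vssadmin or wmic (inhibits recovery).
        if name in ("vssadmin.exe", "wmic.exe") and SHADOW_DELETE.search(e.cmdline):
            alerts.append(("shadow_copy_deletion", e.pid, root_of(by_pid, e.pid)))
        # 2. cmd.exe kill/wait/delete chain whose del target is its own parent's image.
        if name == "cmd.exe" and "taskkill" in e.cmdline.lower():
            m = DEL_TARGET.search(e.cmdline)
            parent = by_pid.get(e.ppid)
            if m and parent and ntpath.normcase(m.group(1) or m.group(2)) == ntpath.normcase(parent.image):
                alerts.append(("self_deletion_of_parent", e.pid, root_of(by_pid, e.pid)))
        # 3. A system-binary name executing from outside the system directories.
        if name in SYSTEM_NAMES and not e.image.lower().startswith(SYSTEM_DIRS):
            alerts.append(("system_binary_name_outside_system_dir", e.pid, root_of(by_pid, e.pid)))
    return alerts


if __name__ == "__main__":
    for rule, pid, root in detect(EVENTS):
        print(f"{rule:40} pid={pid:<5} root={root}")
```

Every alert carries the root PID so that the four hits (the masquerading whoami.exe, both shadow-copy deletions and the self-deletion chain) attribute back to PID 672, the original sample, even though two of them were spawned by the dropped copy; the "list shadows" control and the real whoami.exe produce nothing.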
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\whoami.lnk
MD5 3ee74041996d729538fd1360e5da56f4
SHA1 2b801337a3c7c60df01bf8dfbb66385a8eaa21e5
SHA256 485acb485700b37372e71fb51c1c25b4e727b00fcb45493465283a2a976f00b2
SHA512 73e5e867f9fe1692fca1fa453411261f1752fe296eba8648436da69b7c0e0507c21860107fe7edde4d4db2f54b4e1eda8ac321234e2a724a42753d2f448053d4
-
C:\Users\Admin\AppData\Roaming\{A074B1AF-2474-4D8E-3D69-79A6B0292AF2}\whoami.exe
MD5 678fff3a5ab12f5af6bbb814d1810b4c
SHA1 b088bc6af8ddba1bee212b6f8bf4dcc66002a4ed
SHA256 120904fa76dba7bdaf0f5c3732b58b050e8d1366c11093ada9e4d894076f2d30
SHA512 2904ac506a3959c6ed067ad62416ddfa392486f783f62f2eb97b7fe8b66b3292884d95e60886ca61894e9c041937378ad6dd059f9541f5cb170efd46f334bdfc
-
C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
MD5 e6405fe44d3e5897b0d7ca08749a69c7
SHA1 1aba2e5b94f3d994465fc65ea1888f48da71974d
SHA256 3a4a612093e111bcb8cfa9857a7c52cd000ae1a42724589be1639f5a49b23fe2
SHA512 0f0ec0740da6e89fe70e65badfc0c33a37be51132e51f7745a7441f31f2bbe12539d75f04457906d9a55f9f6b59ba196c8125ebd395e83d3d001b6d3cfaff87f
-
C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
MD5 204ac74bdcb76938131d4b352cb481e6
SHA1 cc557623f7225eb065d1665f226e4157afb5d5eb
SHA256 abb7f6bcd0a53a71d443dc22e06332461830f169905c098997869086002e4d96
SHA512 88c71a9b1cc4e986eae5fd8f400dee615c72db06a32cd0dfd4b8885a272d8cfa660502142852d4610a4fcea3c43a9fa3b0b151c0366d28509982c39a85916b30
-
C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs
MD5 f4f62c6f03227c16f4224d94f3df3290
SHA1 e5d588a1fba64c8886685b948f51550e4807431e
SHA256 794ae25ea84923dbb539d6c7fba91206d56f11606a853ccb1dad54a8f84cebe2
SHA512 bcb43c92f5c95dfe301d4c2c219d9dfdebf8b47336c190a639e7436229ae6f7c16b861c422f3c054121962caced526a0d397eb1d93536fcf13e836c0fda67363
-
memory/412-117-0x0000000000000000-mapping.dmp
-
memory/508-118-0x0000000000000000-mapping.dmp
-
memory/744-126-0x0000000000000000-mapping.dmp
-
memory/2064-121-0x0000000000000000-mapping.dmp
-
memory/2104-114-0x0000000000000000-mapping.dmp
-
memory/2860-120-0x0000000000000000-mapping.dmp
-
memory/2860-123-0x0000000000000000-mapping.dmp
-
memory/3140-119-0x0000000000000000-mapping.dmp
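Three things in the dropped-file list above matter for triage: the whoami.exe written under %APPDATA%\{GUID}\ carries the same MD5/SHA1/SHA256/SHA512 as the submitted sample (its SHA256 is the sample's own file name), so it is a byte-identical self-copy rather than a second-stage payload; the whoami.lnk in the Start Menu StartUp folder is the persistence hook; and the three "# DECRYPT MY FILES #" files are the ransom notes. As extracted, each hash label is glued to its value ("SHA12b80…" is SHA1 followed by a 40-hex-digit hash), so a naive split on whitespace misreads the records. The block below is an added example, not part of the report or of any sandbox tooling: it parses three of the records exactly as they appear above, using the known digest lengths to separate label from value, then tags each file. The record text is copied from this page; the tag names and the SAMPLE_SHA256 constant are choices made for the example.

```python
"""Parse the glued-together dropped-file hash records from this report and
tag each file as self-copy, persistence artifact or ransom note."""
import ntpath
import re

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HEX = re.compile(r"^[0-9a-f]+$")

# Constructed from this report's Downloads section (three of the records; the
# extractor glued each hash label to its value, e.g. "SHA12b80...").
RAW = r"""
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\whoami.lnkMD5
3ee74041996d729538fd1360e5da56f4
SHA12b801337a3c7c60df01bf8dfbb66385a8eaa21e5
SHA256485acb485700b37372e71fb51c1c25b4e727b00fcb45493465283a2a976f00b2
SHA51273e5e867f9fe1692fca1fa453411261f1752fe296eba8648436da69b7c0e0507c21860107fe7edde4d4db2f54b4e1eda8ac321234e2a724a42753d2f448053d4
-
C:\Users\Admin\AppData\Roaming\{A074B1AF-2474-4D8E-3D69-79A6B0292AF2}\whoami.exeMD5
678fff3a5ab12f5af6bbb814d1810b4c
SHA1b088bc6af8ddba1bee212b6f8bf4dcc66002a4ed
SHA256120904fa76dba7bdaf0f5c3732b58b050e8d1366c11093ada9e4d894076f2d30
SHA5122904ac506a3959c6ed067ad62416ddfa392486f783f62f2eb97b7fe8b66b3292884d95e60886ca61894e9c041937378ad6dd059f9541f5cb170efd46f334bdfc
-
C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbsMD5
f4f62c6f03227c16f4224d94f3df3290
SHA1e5d588a1fba64c8886685b948f51550e4807431e
SHA256794ae25ea84923dbb539d6c7fba91206d56f11606a853ccb1dad54a8f84cebe2
SHA512bcb43c92f5c95dfe301d4c2c219d9dfdebf8b47336c190a639e7436229ae6f7c16b861c422f3c054121962caced526a0d397eb1d93536fcf13e836c0fda67363
"""

# SHA256 of the submitted sample (the hash in its file name on this report).
SAMPLE_SHA256 = "120904fa76dba7bdaf0f5c3732b58b050e8d1366c11093ada9e4d894076f2d30"
NOTE_RE = re.compile(r"^# DECRYPT MY FILES #\.(txt|html|vbs)$", re.I)


def split_label(line):
    """Return (label, hexvalue) when `line` is label+hash with the digest
    length that label requires, else None. Trying every label and checking
    the length is what keeps 'SHA1' from swallowing a 'SHA256...' line."""
    for label, n in HASH_LEN.items():
        if line.startswith(label):
            rest = line[len(label):].lower()
            if len(rest) == n and HEX.match(rest):
                return label, rest
    return None


def parse_dropped(raw):
    """Parse records of the form '<path>MD5', '<md5>', 'SHA1<sha1>', ... into dicts."""
    records, cur = [], None
    lines = [l.strip() for l in raw.strip().splitlines() if l.strip() and l.strip() != "-"]
    for line in lines:
        if line.endswith("MD5"):                 # path line with the MD5 label glued on
            cur = {"path": line[:-3]}
            records.append(cur)
        elif cur is not None and "MD5" not in cur and len(line) == 32 and HEX.match(line.lower()):
            cur["MD5"] = line.lower()            # the MD5 value sits alone on the next line
        else:
            hit = split_label(line)
            if hit is None or cur is None:
                raise ValueError(f"unparsable line: {line!r}")
            cur[hit[0]] = hit[1]
    for r in records:                            # every record must carry all four digests
        missing = set(HASH_LEN) - set(r)
        if missing:
            raise ValueError(f"{r['path']} missing {sorted(missing)}")
    return records


def triage(records, sample_sha256=SAMPLE_SHA256):
    """Map file name -> list of tags derived from hash and path."""
    out = {}
    for r in records:
        tags = []
        name = ntpath.basename(r["path"])
        if r["SHA256"] == sample_sha256.lower():
            tags.append("byte_identical_copy_of_sample")
        if "\\start menu\\programs\\startup\\" in r["path"].lower():
            tags.append("startup_folder_persistence")
        if NOTE_RE.match(name):
            tags.append("ransom_note")
        out[name] = tags
    return out


if __name__ == "__main__":
    for name, tags in triage(parse_dropped(RAW)).items():
        print(f"{name}: {', '.join(tags) or '-'}")
```

The length check in split_label is the important part: a regex alternation such as `(MD5|SHA1|SHA256|SHA512)([0-9a-f]+)` would match "SHA256485acb…" as SHA1 followed by 66 hex digits, silently corrupting the IOC you then push to a blocklist.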